if user with list role rights modifies a subscriber, the subscriber gets removed from all other lists
Version:
- listmonk: [eg: v4.1.0]
- OS: Docker (on CoreOS)
Description of the bug and steps to reproduce:
Given the following setup with two users, one of them having a list role:
- alice: super admin
- bob: list role with write rights on list a, role with all subscriber permissions
Steps to reproduce:
- alice adds a subscriber to a list a and list b
- bob removes the subscriber from list a (which he has the right to)
- notice that the subscriber also has been removed from list b (and all other lists he has been subscribed to)
This is trickier than I thought.
User A has access to lists [a, b]. User B has access to lists [a, c]. S is subscribed to lists [a, b, c].
- When A logs in, on S, currently, A can see the list [c] although they don't have access to it.
- Similarly, B can see [a] on Sub although they don't have access to it.
If these lists on S are hidden from A and B, then they can't really know the true state of the subscriber. A will only see list [a] on S and would never know that S is on other lists. A way out here is to not hide the fact, but replace the name of the list with a constant name like *Restricted.
But what about the manage permission then? If S has a list on them that A doesn't have access to, then can A not delete the subscriber until that list is removed from the subscriber by B?
Hey @knadh, thanks for considering. Yes indeed this sounds tricky to get completely right 🙈
> But what about the manage permission then? If S has a list on them that A doesn't have access to, then can A not delete the subscriber until that list is removed from the subscriber by B?
Maybe adding a subscribers:manage_all permission would make sense to handle this? That way, one could say that subscribers:manage indeed blocks deletion as long as the subscriber is still on another list, while subscribers:manage_all would give permission to manage all subscribers regardless of which lists they are subscribed to?
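
An added example, not part of the thread and not listmonk's code: one way to apply a list-scoped user's edit without touching memberships outside their scope, together with the deletion rule proposed above. `Scope`, `MergeLists` and `CanDelete` are hypothetical names, and lists are modelled as plain string IDs.

```go
package main

import (
	"fmt"
	"sort"
)

// Scope is the set of list IDs the acting user's list role can manage (hypothetical model).
type Scope map[string]bool

// MergeLists applies a requested membership without touching lists outside
// the actor's scope: result = (current - scope) + (requested & scope).
func MergeLists(current, requested []string, scope Scope) []string {
	seen, out := map[string]bool{}, []string{}
	for _, l := range current {
		if !scope[l] && !seen[l] { // out of scope: always preserved
			seen[l] = true
			out = append(out, l)
		}
	}
	for _, l := range requested {
		if scope[l] && !seen[l] { // in scope: the actor decides
			seen[l] = true
			out = append(out, l)
		}
	}
	sort.Strings(out)
	return out
}

// CanDelete models the proposal in the thread: manage_all always allows
// deletion; plain manage is blocked while any out-of-scope list remains.
func CanDelete(current []string, scope Scope, manageAll bool) bool {
	if manageAll {
		return true
	}
	for _, l := range current {
		if !scope[l] {
			return false
		}
	}
	return true
}

func main() {
	bob := Scope{"a": true}
	// Constructed input: the subscriber from the report is on lists a and b; bob removes a.
	after := MergeLists([]string{"a", "b"}, nil, bob)
	fmt.Println(after, CanDelete(after, bob, false), CanDelete(after, bob, true))
}
```
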